U.S. Department of Agriculture
Office of Inspector General
Great Plains Region

Audit Report

Farm Service Agency
Price Support Loan Application

Report No. 03099-195-KC
September 2005


Executive Summary
Farm Service Agency Price Support Loan Application
(Audit Report No. 03099-195-KC)

Results in Brief

This report presents the results of our audit of the price support loan application within the Farm Service Agency's (FSA) Automated Price Support System (APSS). Our overall objective was to assess whether the FSA had adequate management, security, and programming controls over its price support loan application. The FSA relies on the APSS to make and service commodity loans and loan deficiency payments, a critical function of the Commodity Credit Corporation's mission to stabilize, support, and protect farm income and prices.

Overall, we found that FSA had generally implemented sufficient controls to ensure the integrity of the price support loan application system. However, our audit identified areas where improvements were warranted regarding application programming, access, and security. Specifically, we found that:

• weaknesses existed in several automated checks used to validate data in the price support loan application;

• controls over logical access, including passwords to its price support loan application, did not assure adherence to federal guidance because employees were required to divulge their passwords, and password intervals were not properly set;

• a lack of controls existed over transmission of data without the appropriate security measures;

• incomplete risk assessment documentation existed for the price support loan application; and

• contingency plans did not describe the expected recovery actions to be taken by county offices.

Recommendations in Brief

We recommend that the FSA:

• conduct a detailed analysis of the adequacy of the key validation controls for the price support application;

• develop and document validation controls to mitigate the specific weaknesses determined;

USDA/OIG-A/03099-195-KC                                                             Page i

• revise FSA direction on logical access control guidance to be consistent with Departmental requirements;

• ensure that employees who have made their passwords and user identifications available to others obtain passwords and user identifications in accordance with Departmental security guidance;

• consult with the Office of the Chief Information Officer (OCIO) and implement adequate security to ensure that all sensitive data is transmitted securely in accordance with applicable requirements;

• conduct sufficient reviews of risk assessments to establish that all relevant information has been documented and considered as part of the assessment's development (e.g., network topology, list of system personnel, and connected applications) prior to acceptance of the work and payment; and

• revise contingency plans for county offices that will provide the achievable processes to be followed for continued operation if an emergency arises, and establish oversight of the plans.

FSA Response

In its August 1, 2005, written response to the draft report, FSA concurred with the findings and recommendations in the report, and provided timeframes for completing many of the corrective actions.

OIG Position

We agree with management decision for Recommendations 1, 2, 3, 4, and 6. The management decision for Recommendation 5 is contingent upon the pending Office of the Chief Information Officer decision regarding the waiver of Departmental requirements. If a waiver is not granted, then a corrective action plan and applicable timeframes are needed. For Recommendation 7, additional clarification is needed on when the updated contingency plan instructions will be provided to county offices and the procedures to provide oversight of the plans to ensure that they accurately describe expected actions.


Abbreviations Used in This Report

ADP     Automated Data Processing
APSS    Automated Price Support System
C&A     Certification and Accreditation
CCC     Commodity Credit Corporation
CS      Cyber Security
DM      Departmental Manual
DR      Departmental Regulation
FSA     Farm Service Agency
ID      Identification
IT      Information Technology
ITS     Information Technology Services
ITSD    Information Technology Services Division
NIST    National Institute of Standards and Technology
OCFO    Office of the Chief Financial Officer
OCIO    Office of the Chief Information Officer
OIG     Office of Inspector General
OMB     Office of Management and Budget
PSD     Price Support Division
RA      Risk Assessment
USDA    United States Department of Agriculture


Table of Contents

Executive Summary ..... i
Background and Objectives ..... 1
Findings and Recommendations ..... 3
    Section 1. Application Programming ..... 3
        Finding 1  FSA Lacks Assurance that Price Support Loan Application is Correctly Programmed to Validate Data ..... 3
            Recommendation 1 ..... 4
            Recommendation 2 ..... 5
    Section 2. Application Access ..... 7
        Finding 2  Logical Access Controls Security Needs Strengthening ..... 7
            Recommendation 3 ..... 8
            Recommendation 4 ..... 9
        Finding 3  Remote Access Security Needs Strengthening ..... 9
            Recommendation 5 ..... 10
    Section 3. Documentation ..... 12
        Finding 4  Inadequate Risk Assessment Documentation ..... 12
            Recommendation 6 ..... 13
        Finding 5  Contingency Plans Need Revision ..... 13
            Recommendation 7 ..... 14
Scope and Methodology ..... 16
Exhibit A - FSA Response ..... 17


Background and Objectives

Background

Application controls are the structure, policies, and procedures that apply to separate, individual application systems. An application system is typically a collection or group of individual computer programs that relate to a common function. In the Federal Government, some applications may be complex, comprehensive systems, involving numerous computer programs and organizational units, such as those associated with benefit payment systems. Application controls can encompass both the routines contained within the computer program code and the policies and procedures associated with user activities, such as manual measures performed by the user to determine that data was processed accurately by the computer.

Application controls help make certain that transactions are valid, properly authorized, and completely and accurately processed by the computer. In addition, general security controls and automated controls built into the operating system that support the application should also be considered. Weak controls that allow physical or logical access to the computers that store application data could be used to circumvent the controls established within the application itself.

The Commodity Credit Corporation (CCC) is a Government-owned corporation created in 1933 to stabilize, support, and protect farm income and prices; to help maintain balanced and adequate supplies of agricultural commodities, including products, foods, feeds, and fibers; and to help in the orderly distribution of these commodities. Management of the CCC is vested in a board of directors, subject to the general supervision and direction of the Secretary of Agriculture. The activities of the CCC are carried out mainly by the personnel and through the facilities of the Farm Service Agency (FSA) and its State and county committees. There are 51 FSA State offices and about 2,500 U.S. Department of Agriculture (USDA) Service Centers. Additionally, the FSA maintains field office personnel in Kansas City and St. Louis, Missouri, and Salt Lake City, Utah.

Various laws have emphasized the need to protect agencies' sensitive and critical data, including the Privacy Act of 1974, the Federal Information Security Management Act of 2002, and the Paperwork Reduction Act of 1995. Departmental responsibilities were recently reemphasized in the Clinger-Cohen Act of 1996 and Presidential Decision Directive 63, "Policy on Critical Infrastructure Protection." Additionally, the Government Information Security Reform Act was enacted on October 30, 2000. This Act codified the existing requirements of the Office of Management and Budget's (OMB) Circular A-130, Appendix III, Security of Federal Automated Information Resources. Computer security at USDA is addressed in Departmental Manual (DM) 3140-1, Management Automated Data Processing (ADP) Security Manual, and various Departmental Regulations (DR). Additionally, the FSA has issued certain security guidelines in a series of IRM Handbooks.

FSA uses a software application called the Automated Price Support System (APSS) to carry out the CCC marketing assistance loan program. The price support loan application is software within the APSS that facilitates marketing assistance loans provided to producers at harvest time, or after, to meet cash flow needs without having to sell their commodities when market prices are typically at harvest-time lows. Marketing loans allow producers to store production at harvest facilities and market their commodities throughout the year. Marketing assistance loans for covered commodities are pledged as loan collateral, and producers have the option of delivering the pledged collateral to the CCC as full payment for the loan at maturity. Market loan repayment provisions specify, under certain circumstances, that producers may repay loans at less than principal plus accrued interest and other charges. For crop year 2002, FSA/CCC processed 176,000 loans that totaled about $7.5 billion.

The APSS was developed to completely record county office data for the marketing loan assistance and loan deficiency payments made to producers. The APSS comprises a distributed data processing system that provides field offices the capability to make and service commodity loans and loan deficiency payments, and a reporting and accounting feeder system that provides centralized tracking of all loan detail (transactions) and summary reporting capabilities. The price support loan application calculates the commodity loans; prepares loan documents and disbursements; provides for repayments, transfers, forfeitures, and settlements; establishes receivables; and calculates interest charges. The system interfaces with accounting, inventory, and production adjustment applications, and summarized data files are transmitted from the county and State offices on a daily or weekly basis for use in preparation of national-level reports.

The USDA Office of Inspector General (OIG) conducted nationwide audits of selected USDA agencies to assess overall application controls of their computer systems to ensure the confidentiality, integrity, and availability of information. The FSA was one of the agencies selected for review.

Objectives

The objective of this audit was to determine if FSA had adequate management, security, and programming control over its price support loan application.


Findings and Recommendations

Section 1. Application Programming

Finding 1  FSA Lacks Assurance that Price Support Loan Application is Correctly Programmed to Validate Data

The price support loan application lacks several automatic checks to validate critical information that is used to make loan decisions. For example, the application should filter out loan requests that are made after the final date that a loan is available, but our testing showed it would allow loans to be made up to 2 months after this date has passed. However, we were unable to determine why these checks have not been incorporated into the application, because FSA has not adequately recorded and retained documentation showing the changes it has made to the system through the years, and FSA officials could not otherwise provide any information to explain the omissions. The application may have lacked these checks in its original programming, or the agency may have removed the checks in subsequent updates. In either case, without documentation tracking the history of changes made to the application, the agency cannot be assured that changes made to the system are authorized and accurate.

Federal standards mandate that data within computer systems must be validated continuously, which involves determining if it is accurate, complete, consistent, and reasonable (Federal Information Processing Standards 73). To accomplish this goal, agencies incorporate automatic validation controls that restrict users from entering predictably invalid data (e.g., wrong State codes), changing critical data (e.g., Federal loan interest rates), superseding established timeframes (e.g., submitting a loan request past the due date), and so on.

As users discover validation weaknesses in an application, agencies update the automatic controls to fix the problem. DM 3200-001 holds that changes made to major applications should be maintained throughout the life cycle of that system. Chapter 1.6 calls complete and accurate documentation of major application systems "essential." More specifically, chapter 2.8 requires that managers maintain documentation related to the development, operation, and maintenance of an application throughout its use by an agency. DM 3200-002 also requires agencies to document software changes.

Our tests determined several validation weaknesses in FSA's price support loan application. In our tests at the FSA test site, the application:

• Accepted crop loans 2 months after the final loan availability date for a given crop,

• Permitted users to change interest rate tables, established yield tables, and service fees, which are critical to determining loan parameters,

• Prevented users from entering accurate information (e.g., test crop weights ending in 50 were not accepted by the system). For example, while entering a loan, a test weight of 250 was entered but the computer would not accept this number, so a test weight of 300 was entered and accepted by the system. We tested various test weight numbers in increments of "50" (i.e., 150, 250, 350, etc.) and found these would not be accepted by the system.

• Changed information input by the user (e.g., an entry of 2.56 bushels per acre was changed to 3156, and 'K' entered as a response to a yes (Y) or no (N) question was taken as a no (N)), and

• Allowed inaccurate State codes to be entered.

Proposed changes to FSA's price support loan application go through an appropriately rigorous process of development and testing before they are implemented throughout the agency. The agency, though, has not kept track of all the changes that it has made to validation controls. It also has not compiled the updates as they are released. This lack of documentation may lead to the agency undoing preceding programming changes designed to enhance the validation controls within the application. Any or all of the weaknesses identified above, for example, may have developed from conflicts between programming changes. Alternately, implemented validation controls may have been incorrectly removed if an older software update was re-released, in effect returning the application to an earlier, less effective version. The correction of these individual weaknesses could enhance the overall strength of the application's automatic validation control.

Recommendation 1

Conduct a detailed analysis of the adequacy of the key validation controls for the price support application.

Recommendation 2

Develop and document validation controls to mitigate the specific weaknesses cited above and those identified during the detailed analysis.

FSA Response.

In its August 1, 2005, response, FSA concurred with Recommendations 1 and 2, and the Price Support Division (PSD) conducted a preliminary detailed review and analysis specific to the weaknesses addressed in Finding 1. Of the weaknesses cited, PSD developed a validation control to accept a marketing assistance loan application within the final loan availability period applicable to the crop. This software enhancement will be released in county Release 568 and was scheduled to be released on July 25, 2005.

PSD analysis found one screen where an alpha other than "Y" or "N" was permitted to a question requiring a yes or no response.
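The validation controls Finding 1 asks for, and the two that FSA describes building in its response (a final-loan-availability cutoff and a strict Y/N response), are shown below as an added example. This is not APSS code or FSA's Release 568 enhancement; the crop cutoff dates, State code list and per-commodity test-weight ranges are constructed sample tables, and the field names are hypothetical. Each check returns a message for a rejected value, so that a value is either accepted exactly as typed or refused, which is the opposite of the observed behaviour in which "2.56" became 3156 and "K" was silently read as "N".

```python
"""Input validation checks of the kind Finding 1 calls for (added example)."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, InvalidOperation
from typing import List, Optional, Tuple

# Constructed sample reference tables (hypothetical values, not FSA's tables).
FINAL_LOAN_AVAILABILITY = {       # crop -> last date a loan request may be made
    "corn": date(2005, 5, 31),
    "wheat": date(2005, 3, 31),
}
VALID_STATE_CODES = {"17", "20", "29", "31"}     # hypothetical subset of State codes
TEST_WEIGHT_RANGE = {"corn": (45, 70), "wheat": (51, 70)}   # lb/bu, constructed
MAX_YIELD_PER_ACRE = Decimal("500")              # hypothetical sanity limit


@dataclass(frozen=True)
class LoanRequest:
    crop: str
    request_date: date
    state_code: str
    yield_per_acre: str     # raw text exactly as typed by the user
    test_weight: int
    stored_on_farm: str     # raw Y/N answer exactly as typed


def check_loan_date(crop: str, request_date: date) -> Optional[str]:
    """Refuse a request made after the crop's final loan availability date.
    The audit found the application accepted requests up to 2 months late."""
    final = FINAL_LOAN_AVAILABILITY.get(crop)
    if final is None:
        return f"unknown crop '{crop}'"
    if request_date > final:
        return f"request dated {request_date} is after final availability date {final}"
    return None


def check_state_code(code: str) -> Optional[str]:
    """Refuse State codes that are not in the reference table."""
    return None if code in VALID_STATE_CODES else f"'{code}' is not a valid State code"


def parse_yield(text: str) -> Decimal:
    """Parse a yield entry exactly as typed; never silently rewrite it."""
    try:
        value = Decimal(text.strip())
    except InvalidOperation:
        raise ValueError(f"yield '{text}' is not a number")
    if value <= 0 or value > MAX_YIELD_PER_ACRE:
        raise ValueError(f"yield {value} is outside 0-{MAX_YIELD_PER_ACRE}")
    return value


def check_test_weight(crop: str, weight: int) -> Optional[str]:
    """Accept only test weights plausible for the commodity (e.g. 50 lb/bu is
    acceptable for corn but below the constructed minimum for wheat)."""
    low, high = TEST_WEIGHT_RANGE.get(crop, (None, None))
    if low is None:
        return f"no test weight range for crop '{crop}'"
    if not low <= weight <= high:
        return f"test weight {weight} is outside {low}-{high} for {crop}"
    return None


def check_yes_no(answer: str) -> Optional[str]:
    """Accept only Y or N (case-insensitive); any other character is an error
    rather than being read as 'N'."""
    if answer.strip().upper() not in ("Y", "N"):
        return f"response '{answer}' is not Y or N"
    return None


def validate(req: LoanRequest) -> List[Tuple[str, str]]:
    """Run every check and return (field, message) pairs for rejected fields."""
    errors: List[Tuple[str, str]] = []
    for field, msg in (
        ("request_date", check_loan_date(req.crop, req.request_date)),
        ("state_code", check_state_code(req.state_code)),
    ):
        if msg:
            errors.append((field, msg))
    try:
        parse_yield(req.yield_per_acre)
    except ValueError as exc:
        errors.append(("yield_per_acre", str(exc)))
    for field, msg in (
        ("test_weight", check_test_weight(req.crop, req.test_weight)),
        ("stored_on_farm", check_yes_no(req.stored_on_farm)),
    ):
        if msg:
            errors.append((field, msg))
    return errors


# Constructed sample request: late for corn, and 'K' given to a Y/N question.
SAMPLE_REQUEST = LoanRequest("corn", date(2005, 7, 20), "17", "2.56", 50, "K")

if __name__ == "__main__":
    for field, msg in validate(SAMPLE_REQUEST):
        print(f"{field}: {msg}")
```

Each check lives in its own function so the detailed analysis Recommendation 1 asks for can be expressed as a test per weakness, and the release notes for a change can list exactly which check was added or altered, which is the change history the finding says is missing.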
PSD will\n                   issue a user requirement to request an enhancement to this validation.\n                   The user requirement will be completed by August 31, 2005.\n\n                   FSA also stated that they found through their analysis that APSS does\n                   validate against test weight that is not applicable to a specific\n                   commodity.\n\n                   Human interaction is required for the remaining weaknesses cited in the\n                   audit which make an automated validation impossible. However, PSD\n                   will issue a directive to the State and county offices reminding them of\n                   the procedure for maintaining table files and to ensure program\n                   validations are correctly applied.\n\n                   FSA is in the beginning stages to develop a web based eLOAN\n                   application process via the internet. When this is completed, the APSS\n                   will not be needed to support marketing assistance loans. The user\n                   requirement was issued to address this project on June 26, 2005. A\n                   more in-depth validation system will be implemented with this process\n                   in all activities pertaining to all programs currently used by APSS.\n\n                   Because all resources are assigned to the eGOV initiatives, any\n                   additional enhancements in APSS may he prohibited, as directed by\n                   FSA Administration and the Information Technology Services Division\n                   (ITSD). However, FSA will make every attempt to ensure that\n                   validations remain a top priority in development of software. 
FSA\xe2\x80\x99s\n\nUSDA/OIG-A/03099-195-KC                                                             Page 5\n\x0c                   response shows that the target date for completing final action is\n                   August 31, 2005.\n\n                   OIG Position.\n\n                   We clarified what information was tested in the bullet shown above\n                   regarding test weight numbers in increments of \xe2\x80\x9c50\xe2\x80\x9d (150, 250, 350)\n                   and performed additional testing for corn and wheat using a test weight\n                   of 50. We found that the APSS should not and does not allow a 50 test\n                   weight for wheat in all grades (1-5) and correctly does allow a 50 test\n                   weight for corn. Therefore, we accept management decision for\n                   Recommendations 1 and 2. For final action, FSA will need to report to\n                   the Office of the Chief Financial Officer (OCFO) that the proposed\n                   actions have been accomplished.\n\n\n\n\nUSDA/OIG-A/03099-195-KC                                                            Page 6\n\x0cSection 2. Application Access\n\n\n\nFinding 2                             Logical Access Controls Security Needs Strengthening\n\n                                      FSA does not have adequate control over logical access to its price\n                                      support loan application. 1 FSA direction inappropriately requires\n                                      employees to divulge their passwords to other employees, and systems\n                                      are not set to adequately restrict access. 
With loose control over\n                                      passwords and protective steps not taken, the price support loan\n                                      application becomes vulnerable to unauthorized use and FSA becomes\n                                      less capable of establishing accountability for that misuse.\n\n                                      According to National Institute of Standards and Technology (NIST)\n                                      800-12, if passwords are used for authentication, organizations should\n                                      teach users not to use easy-to-guess passwords, not to divulge their\n                                      passwords, and not to store passwords where others can find them. 2\n\n                                      Counter to these requirements, agency, State, and county guidance\n                                      direct employees to make their passwords available to other employees\n                                      for administrative purposes. FSA\xe2\x80\x99s handbook of computer operations\n                                      directs field offices to print and store user identifications and\n                                      passwords. 3 Also,\n\n                                       \xe2\x80\xa2          a State office notice required all county offices in a State to\n                                                  send master security user identifications (ID) and passwords to\n                                                  the State office. 
4 Employees at the State office share these\n                                                  master security ID and passwords and,\n\n                                       \xe2\x80\xa2          another FSA county office required all its employees to provide\n                                                  their passwords to another employee who locks these passwords\n                                                  in a safe. For example, if someone tampers with the application\n                                                  using employee A\xe2\x80\x99s password, but employee B also has access\n                                                  or knows the password, it will be difficult to establish which\n                                                  employee damaged the system.\n\n                                       \xe2\x80\xa2          The password change interval is set at 90 days on the operating\n                                                  system. Cyber Security (CS) requires passwords for all\n                                                  systems, applications or processes to be changed every 60 days\n\n1\n  Logical access is the ability that users have to use, change, or view a computer system. To control that access means to restrict their ability to\ninteract with the system. Logical access controls can be built into the operating system (e.g., automatically logging a user out after a period of\ninactivity), or incorporated into the applications that run on that system (e.g., passwords) (NIST 800-12 ch. 17).\n2\n  NIST 800-14, \xe2\x80\x9cGenerally Accepted Principles for Securing IT Systems,\xe2\x80\x9d Sept. 1996, sect. 3.11.3.\n3\n  FSA Handbook 2-IRM, \xe2\x80\x9cComputer Operations for the GSS A and B,\xe2\x80\x9d May 29, 2003, para. 
281.F(5).\n4\n  MO Notice IRM-36, \xe2\x80\x9cADP Password Changes,\xe2\x80\x9d December 8, 2003, Exhibit 3.\nUSDA/OIG-A/03099-195-KC                                                                                                                  Page 7\n\x0c                                                  for general users. Passwords issued to system administrators,\n                                                  system managers, and software engineers or those that are used\n                                                  for dial-in access are to be changed every 30 - 45 days. 5 By\n                                                  leaving the passwords the same for longer than recommended,\n                                                  the agency increases the risk that an unauthorized user will gain\n                                                  and retain access to the application.\n\n                                         \xe2\x80\xa2        In two county offices we visited, the computers did not\n                                                  automatically logout the user after a period of inactivity.\n                                                  Leaving open conduits into the application makes the\n                                                  application vulnerable to tampering and enhances the risk of\n                                                  exposing sensitive information to unauthorized access.\n\n                                       Combined, these logical access control weaknesses increase FSA\xe2\x80\x99s\n                                       price support loan application vulnerability to misuse. 
Should an unauthorized user exploit these weaknesses, FSA's ability to establish accountability will be hampered since employees will have access to other employees' passwords.

Recommendation 3

Revise FSA direction on logical access control guidance to be consistent with Departmental requirements. Revise agency, State, and county directives to instruct FSA employees on new password requirements implemented and to properly safeguard master security IDs and passwords.

FSA Response.

In its August 1, 2005, response, FSA agreed with the recommendation. Also, FSA Handbook 2-IRM will be revised to direct users to change their passwords every 60 days and to not include passwords when preparing a list of User IDs. A notice will be issued directing State and County personnel to update all local directives to comply with these changes. Also, ITSD plans to implement these corrective actions before October 1, 2005.

OIG Position.

We accept management decision for Recommendation 3.
For final action, FSA will need to report to the OCFO that the proposed actions have been accomplished.

[5] CS-13, "Passwords," Chapter 6 Part 5, "Controlled Access Protection (C2)," March 6, 2002, sect. 2.

Recommendation 4

Ensure that employees who have made their passwords and IDs available to others obtain new unique passwords and user IDs. Set computer system password and workstation logout controls as required by Departmental security guidance.

FSA Response.

In its August 1, 2005, response, FSA indicated that user passwords will be changed according to the 60-day cycle. Any employees who have made their passwords and IDs available to others will be instructed to reset their passwords and not share their IDs or passwords with others. Every employee will have a unique ID with a password known only to the employee. It is not feasible to issue new user IDs. The User IDs have been stored in numerous audit trail files. The new User ID would start out as a completely new user with no way to link the new User ID to the activities of the old User ID.

The IBM S/36 does not have an option to log out a user after a specified time. If a disconnection is forced from a higher level (network or AS/400 hosting system), the hard termination of a user's session can cause data corruption in many of our applications. The S/36 does not have a database management system with commit/rollback capabilities. If a user is in the middle of a transaction and their session gets terminated, half of a transaction may be recorded. Implementing a forced disconnection would present a larger risk than the one we would be trying to mitigate. Also, ITSD will instruct employees to change their passwords by the end of the Fiscal Year (or sooner).

OIG Position.

We accept management decision for Recommendation 4. For final action, FSA will need to report to the OCFO that the proposed actions have been accomplished.

Finding 3 – Remote Access Security Needs Strengthening

FSA does not have adequate control over external access to information contained within its price support loan application.
FSA management did not institute security controls capable of encrypting[6] data in some locations because they believed the cost was too high and that encryption, or other secure transmission measures, would slow transmission over the method in use to an unacceptable level. This decision left the data at risk of being compromised.

[6] Encryption is the process of disguising information or data so that it is unintelligible to an unauthorized person.

We found that about 155 of 2,500 FSA service centers do not encrypt information before transmitting it to FSA's main computer system. The 155 service centers transmitted sensitive information, including information on about 2,600 loans totaling $163 million made for crop year 2002, using an inappropriate method. Without encryption or other secure transmission measures, sensitive information is not adequately protected. USDA standards[7] state that all USDA ADP installations should protect sensitive data by use of file-level passwords, read/write locks, and/or encryption. These same standards[8] advocate that all USDA ADP installations consider encrypting sensitive data to protect it while it is transmitted via telecommunications. In addition, DM 3550-002[9] now clarifies that sensitive but unclassified information transmitted by frame relay is to be encrypted.

FSA has neither required that the county offices submit their data securely, nor replaced the transmission method to allow encryption to be used for these 155 locations. Agency officials indicated that they believed the cost to switch to a transmission method that permits encryption was prohibitive, based on the small activity level in these locations.

Recommendation 5

Consult with the Office of the Chief Information Officer (OCIO) and implement adequate security to ensure that all sensitive data is transmitted securely, in accordance with Departmental and federal encryption requirements, and update agency procedures as needed.

FSA Response.

In its August 1, 2005, response, FSA indicated that the majority of FSA service centers encrypt data before transmission to FSA's central computer systems.
Approximately 155 service centers are currently unable to use Virtual Private Network conduits to transmit their data with encryption. These are small, low-volume service centers. Given the current budget constraints and possible future office consolidations, as well as current efforts to migrate existing AS/400 applications to a central web environment, it is not cost effective to dedicate resources to implement this type of security for 155 low-volume sites. FSA is consulting with OCIO's Information Technology Services (ITS) on this issue. ITS, which is now responsible for FSA's Information Technology (IT) infrastructure, is looking into this issue and may request a waiver to Departmental requirements in this area. Also, the FSA response indicated that OCIO plans to submit a waiver request by August 15, 2005.

[7] DM 3140-1, Management ADP Security Manual, section 15 (b).
[8] DM 3140-1, Management ADP Security Manual, section 18.
[9] DM 3550-002, Sensitive but Unclassified Protection Information, chapter 10, part 2, table 3, dated February 17, 2005.

OIG Position.

Management decision for Recommendation 5 is contingent on the pending OCIO decision regarding the waiver of Departmental requirements. If a waiver is not granted, a corrective action plan that shows how the 155 sites will transmit data in accordance with Departmental regulations, with applicable timeframes, is needed. For final action, FSA will need to report to the OCFO that the proposed actions have been accomplished.

Section 3. Documentation

Finding 4 – Inadequate Risk Assessment Documentation

The documentation used by a contractor FSA hired to perform a risk assessment for its price support loan application did not include all relevant information to provide an accurate assessment. The contractor did not include a network topology—essentially, a blueprint of the computer network—that should have been reviewed prior to determining the risks associated with the application, and omitted other crucial information as well. FSA believed that the contractor had this knowledge, but it did not pursue obtaining the documentation from the contractor. As a result, FSA could not be assured that the risks attributable to its mission-critical system have been considered and that appropriate steps have been taken to mitigate these risks.

NIST guidance for a risk assessment of an IT system requires an understanding of the system's processing environment. To perform a risk assessment, some system-related information must be collected. A current network topology is one of the additional documents needed to develop knowledge of the environment and operations of the IT system and its data.

We reviewed the assessment completed in May 2003 by FSA's contractor. The assessment lacked (1) a network topology, (2) a list of personnel for the APSS (of which the price support loan application is a part), and (3) information about a database used to update information about loans and loan deficiency payments made to producers. Instead, there were blank highlighted sections that an FSA official indicated were for FSA staff to insert specific names or information at some later date.

FSA's risk assessments were in the process of being updated and completed in support of the certification and accreditation requirements at the time of our review. The documentation showed that as of February 2004, no topology had been included in the assessment. In March 2004, two FSA officials said that there was no network topology available for FSA's APSS and, by connection, the price support loan application. In April 2004, FSA stated that one contractor had performed the risk assessments for all of FSA's computer systems and should be familiar with the network topology. The FSA has recently completed the certification and accreditation process and the topology is now included.

Recommendation 6

Conduct sufficient reviews of completed risk assessments, and ensure each risk assessment includes documentation establishing that all needed elements have been considered as part of the assessment's development (e.g., network topology, list of system personnel, and connected applications) prior to acceptance of the work and payment of the contractor.

FSA Response.

In its August 1, 2005, response, FSA indicated that as part of the Certification and Accreditation (C&A) process for the APSS (completed September 2004), the risk assessment (RA) document was updated to include all required elements. FSA follows current Department of Agriculture C&A guidelines in reviewing the RA, and FSA will work to ensure that all needed elements are contained in future RA documents. Also, FSA has indicated they are already in compliance with the recommendation; therefore, no further action is needed.

OIG Position.

We accept management decision for Recommendation 6.
For final action, FSA will need to report to the OCFO that the corrective actions have been accomplished.

Finding 5 – Contingency Plans Need Revision

FSA's contingency plans for county offices to continue operation of their price support loan application in the event of disaster do not reflect the expected recovery actions to be taken. Specifically, the alternate sites designated to carry on operations did not have the computing capacity to operate the application. In prior emergencies that shut down an office's application (e.g., tornadoes), FSA had sent personnel and equipment to restore operations rather than following the contingency plan procedures the agency put in place. These ad hoc recoveries, however, are not explained or formalized within the county offices' written plans.

NIST 800-12 calls for agencies to plan how to keep their critical functions operating in the event of disruptions as an essential element of contingency planning.[10] As the final step in planning, an agency must test the plan along several dimensions to make sure that it will work to continue operations.[11]

We reviewed the plans for three county offices to determine if they were sufficient to restore operations in the event of a disruption. Each of the offices had agreements with their neighboring county offices to run the application on their computers in cases of system failure. In all three cases, however, the offices' computers did not appear to have enough disk space to upload the neighboring office's systems and continue to run their own workload as well.[12] According to disk space capacity reports, each office was using 57 percent of its own disk space for part of its operating system. Consequently, running the systems of two offices together might exceed the disk space available.

In one State office, FSA officials acknowledged that some parts of the contingency plans could be improved. In two other State offices, they stated that they relied on agency personnel to restore their system with new equipment and programs. These personnel informed us that they had prepared their plans using the guidance provided in FSA procedures.
FSA headquarters personnel stated that they usually provide the required equipment to the disabled county.

Relying on FSA headquarters personnel does not supplant the need for a formal contingency plan that outlines the actual steps that a county office must take to recover operations.

Recommendation 7

Revise contingency plans for all county offices to provide achievable processes to be followed for continued operation of the application if an emergency arises. Establish oversight of the plans to ensure that they accurately describe expected actions.

FSA Response.

In its August 1, 2005, response, FSA indicated that Finding 5 (Contingency Plans Need Revision) appears to focus on the need for additional documentation covering all of the various options available to recover county office operations in the event of an emergency, service disruption, or hardware failure. While the FSA contingency plan for county offices does reflect the expected recovery actions to be taken, it is true that options other than the transfer of operations to an alternate site have been used in order to recover operations. These options may include replacing failed or damaged hardware, moving hardware from a disaster site to a suitable alternate location, or using existing hardware at an alternate site to continue operations. Step-by-step procedures covering each of these options, as well as criteria for selecting an appropriate recovery option, should be incorporated into an updated contingency plan.

FSA also disputed that the disk space capacity may not allow both offices to run the applications for two service centers, in that two copies of the operating system and application libraries are not required. Only the data files from the disaster site need to be loaded upon the system at the alternate site. Therefore, the actual amount of space required for establishing the disaster site on the alternate system will be significantly lower than the sum of the two disk space utilization figures. Also, FSA has indicated they are already in compliance with the recommendation; therefore, no further action is needed.

[10] Chapter 11.
[11] Chapter 11.6.
[12] The AS/400 System 36 is an integrated system where the AS/400 provides the platform and core operating system for the Advance System 36 emulation. System 36 is required for most state and county office legacy applications to operate.

OIG Position.

We were unable to accept management decision for Recommendation 7 without additional clarification regarding whether FSA will issue or has issued step-by-step procedures covering each of the recovery options, the criteria for selecting an appropriate recovery option, and how this option should be incorporated into each county office's updated contingency plan. Also, information is needed detailing the procedures to provide oversight of the plans to ensure that they accurately describe expected actions, along with the timeframes.

Scope and Methodology

Our audit was part of a nationwide audit of selected USDA agencies and selected applications within these agencies. We tested an application contained within the APSS to determine if selected application system controls (manual or automated) are in place and functioning effectively to ensure transactions are properly authorized, completely processed, and accurately processed.
The APSS consists of price support loans, price support loan deficiency payments, and price support graze-out payments.

We selected FSA's price support loan application based on the size of the application and the type of processing it conducted. We conducted our review through interviews, review of FSA procedures and records, and observations.

To accomplish our audit objective, we performed the following procedures:

• Gained an understanding of the FSA IT environment;
• Reviewed agency, Departmental, and other Federally mandated IT security policies and procedures;
• Interviewed responsible officials for managing the price support loan application, and reviewed and analyzed FSA records;
• Performed detailed testing of FSA's logical and physical access controls for one mission-critical application, and software controls, by analyzing records and controls established to ensure the security of FSA's price support loan application; and
• Conducted testing at the Kansas City, Missouri, Beacon Facility and three county offices in three States.

Audit fieldwork was performed from February 2004 through August 2004. The audit was conducted in accordance with Government Auditing Standards.

Exhibit A – FSA Response
Exhibit A – Page 1 of 7

Informational copies of this report have been distributed to:

Administrator, FSA
    ATTN: Agency Liaison Officer (6)
Government Accountability Office (1)
Office of Management and Budget (1)
Office of the Chief Financial Officer
    Director, Planning and Accountability Division (1)